Configure Multiple Users for Shadowsocks-libev

For example, Cloud and Tifa, two AVALANCHE members, are planning to deploy shadowsocks-libev services on the same VPS to bypass the firewall of Shinra Inc. In this case, they could simply create cloud.json and tifa.json configurations with different ports, passwords and encryption methods in /etc/shadowsocks-libev directory. Then enable and start the systemd services using the following commands:

sudo systemctl enable shadowsocks-libev-server@cloud.service --now
sudo systemctl enable shadowsocks-libev-server@tifa.service --now

The status of shadowsocks-libev instances could be checked with the following commands:

sudo systemctl status shadowsocks-libev-server@cloud.service
sudo systemctl status shadowsocks-libev-server@tifa.service

You can start shadowsocks-libev instances with the following commands:

sudo systemctl start shadowsocks-libev-server@cloud.service
sudo systemctl start shadowsocks-libev-server@tifa.service

References
https://blog.zzhou612.com/2019/02/15/configure-multiple-users-for-shadowsocks-libev/

Softether on VPS Using Local Bridge

Local bridge Setup

VPN Server IP: 192.168.7.1

VPN Client IP Range: 192.168.7.50-192.168.7.60

Tap Device name: tap_soft

ifconfig tap_soft
apt-get install dnsmasq
nano /etc/dnsmasq.conf
interface=tap_soft
dhcp-range=tap_soft,192.168.7.50,192.168.7.60,12h
dhcp-option=tap_soft,3,192.168.7.1

config tap

ifconfig tap_soft 192.168.7.1

Add this file to /etc/sysctl.d/to enable ipv4 forwarding

/etc/sysctl.d/ipv4_forwarding.conf

Wih this content

net.ipv4.ip_forward = 1
sysctl --system

Then we add a POSTROUTING rule to iptables

iptables -t nat -A POSTROUTING -s 192.168.7.0/24 -j SNAT --to-source [YOUR VPS IP ADDRESS]
# /etc/init.d/vpnserver restart
# /etc/init.d/dnsmasq restart

 

References
http://blog.lincoln.hk/blog/2013/05/17/softether-on-vps-using-local-bridge/

How to Set Up an IKEv2 VPN Server with StrongSwan on Ubuntu 16.04

sudo apt-get install strongswan strongswan-plugin-eap-mschapv2 moreutils

Creating a Certificate Authority

mkdir vpn-certs
cd vpn-certs
ipsec pki --gen --type rsa --size 4096 --outform pem > server-root-key.pem
chmod 600 server-root-key.pem
ipsec pki --self --ca --lifetime 3650 \
--in server-root-key.pem \
--type rsa --dn "C=US, O=VPN Server, CN=VPN Server Root CA" \
--outform pem > server-root-ca.pem

Generating a Certificate for the VPN Server

ipsec pki --gen --type rsa --size 4096 --outform pem > vpn-server-key.pem
ipsec pki --pub --in vpn-server-key.pem \
--type rsa | ipsec pki --issue --lifetime 1825 \
--cacert server-root-ca.pem \
--cakey server-root-key.pem \
--dn "C=US, O=VPN Server, CN=server_name_or_ip" \
--san server_name_or_ip \
--flag serverAuth --flag ikeIntermediate \
--outform pem > vpn-server-cert.pem
sudo cp ./vpn-server-cert.pem /etc/ipsec.d/certs/vpn-server-cert.pem
sudo cp ./vpn-server-key.pem /etc/ipsec.d/private/vpn-server-key.pem
sudo chown root /etc/ipsec.d/private/vpn-server-key.pem
sudo chgrp root /etc/ipsec.d/private/vpn-server-key.pem
sudo chmod 600 /etc/ipsec.d/private/vpn-server-key.pem

Configuring StrongSwan

sudo cp /etc/ipsec.conf /etc/ipsec.conf.original
echo '' | sudo tee /etc/ipsec.conf
sudo nano /etc/ipsec.conf
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@server_name_or_ip
    leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=10.10.10.0/24
    rightsendcert=never
    eap_identity=%identity

Configuring VPN Authentication

sudo nano /etc/ipsec.secrets
server_name_or_ip : RSA "/etc/ipsec.d/private/vpn-server-key.pem"
your_username %any% : EAP "your_password"
sudo ipsec reload

Configuring the Firewall & Kernel IP Forwarding

sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -p udp --dport  500 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 4500 -j ACCEPT
sudo iptables -A FORWARD --match policy --pol ipsec --dir in  --proto esp -s 10.10.10.10/24 -j ACCEPT
sudo iptables -A FORWARD --match policy --pol ipsec --dir out --proto esp -d 10.10.10.10/24 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 10.10.10.10/24 -o eth0 -m policy --pol ipsec --dir out -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 10.10.10.10/24 -o eth0 -j MASQUERADE
sudo iptables -t mangle -A FORWARD --match policy --pol ipsec --dir in -s 10.10.10.10/24 -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
sudo nano /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1


# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0


net.ipv4.ip_no_pmtu_disc = 1
sudo reboot

Restart if required

systemctl restart strongswan

References

https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-16-04
https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-18-04-2
https://www.howtoforge.com/tutorial/how-to-setup-ikev2-vpn-using-strongswan-and-letsencrypt-on-centos-7/
https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection

Run SoftEther VPN Client on Linux

sudo vpnclient start

Run SoftEther VPN Client Manager and configure it, then connect

sudo dhclient vpn_vpn
sudo ip route add 160.235.81.120/32 via 192.168.1.1 dev wlp3s0
sudo ip route del default via 192.168.1.1 dev wlp3s0

Then change the dns in resolv.conf

Setup PPTP Server on Ubuntu 16.04

apt-get install pptpd
nano /etc/pptpd.conf
localip 10.0.0.1
remoteip 10.0.0.100-200

Setup authentication
adding users and passwords. Simply add them to /etc/ppp/chap-secrets

nano /etc/ppp/chap-secrets

Add DNS Servers

nano /etc/ppp/pptpd-options
ms-dns 8.8.8.8
ms-dns 8.8.4.4
service pptpd restart

Setup Forwarding

nano /etc/sysctl.conf
net.ipv4.ip_forward = 1
sysctl -p

Create a NAT rule for iptables

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Preserving Iptables Rules
https://pupli.net/2017/12/22/set-up-openconnect-vpn-server-ocserv-on-ubuntu-16-04-17-10-with-lets-encrypt

References
https://www.digitalocean.com/community/tutorials/how-to-setup-your-own-vpn-with-pptp

Install and Configure Shadowsocks with obfusaction

# Debian / Ubuntu
sudo apt-get install --no-install-recommends build-essential autoconf libtool libssl-dev libpcre3-dev libev-dev asciidoc xmlto automake

git clone https://github.com/shadowsocks/simple-obfs.git
cd simple-obfs
git submodule update --init --recursive
./autogen.sh
./configure && make
sudo make install

On the server:

ss-server -c config.json --plugin obfs-server --plugin-opts "obfs=http"

References
https://github.com/shadowsocks/simple-obfs
https://github.com/shadowsocks/shadowsocks-libev

OpenVPN software repository for Ubuntu 16.04

sudo -s
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg|apt-key add -
echo "deb http://build.openvpn.net/debian/openvpn/<version> <osrelease> main" > /etc/apt/sources.list.d/openvpn-aptrepo.list
echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" > /etc/apt/sources.list.d/openvpn-aptrepo.list
apt-get update && apt-get install openvpn

References
https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos